A copy of the Cyber Rules and Guidance 2021 can be found here.
Phishing can take place via email, telephone, social media or text messaging, with the majority of attempts via email.
Businesses should ensure that they have appropriate measures in place to identify, detect and protect against attempted phishing emails.
The National Cyber Security Centre advises that all businesses adopt a multi-layered approach, which will significantly improve resilience against phishing attempts. As well as the more technical layers of defence, such as implementing anti-spoofing controls, setting up two-factor authentication (2FA), using a proxy server and ensuring browsers are kept up to date, other measures include:
- Filtering or blocking incoming phishing emails;
- Providing ongoing, effective training helping employees to spot phishing emails; and
- Creating an environment where employees can seek help through clear reporting, feedback and no-blame culture.
Businesses should also ensure that they have a fully tested cyber incident response plan (the "Plan"). The Plan should clearly set out how the business detects, investigates, remediates, recovers from and learns from a phishing attempt or attack. The Plan should also identify the key stakeholders required to undertake specific activities, including any required external notification or reporting.
Should you require assistance with your Plan, or general assistance in complying with the Cyber Rules and Guidance 2021, please contact our Head of Operations and Cyber Security, Sarah Sarre.